Why is shadowLastChange an unknown attribute?

I am trying to install slapd on Oracle Linux 7, following the "Configuring an LDAP Server" section of the Oracle® Linux Administrator's Guide for Release 7. When I get to step 7, importing the configuration ldif, I get this error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1

When I run slapd in debug mode:

/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:/// ldaps:///" -d 255

I see the following error, which says the attribute shadowLastChange is unknown.

58daa3a6 <<< dnPrettyNormal: <dc=ams,dc=sim,dc=mil>, <dc=ams,dc=sim,dc=mil>
58daa3a6 slapd: line 0: unknown attr "shadowLastChange" in to clause
58daa3a6 <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
<attrlist> ::= <attr> [ , <attrlist> ]
<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
        [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
        [dnattr=<attrname>]
        [realdnattr=<attrname>]
        [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
        [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
        [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
        [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]
        [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<style> ::= exact | regex | base(Object)
<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
<attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
<peernamestyle> ::= exact | regex | ip | ipv6 | path
<domainstyle> ::= exact | regex | base(Object) | sub(tree)
<access> ::= [[real]self]{<level>|<priv>}
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
<control> ::= [ stop | continue | break ]
dynacl:
        <name>=ACI      <pattern>=<attrname>

58daa3a6 olcAccess: value #0: <olcAccess> handler exited with 1!

If I take the following:

olcAccess: to attrs=shadowLastChange
  by self write
  by * read

out, it works fine, but I wonder whether the system is broken. When I look for shadowLastChange in /etc/openldap, I find it in nis.ldif and nis.schema:

$ grep -rn shadowLastChange /etc/openldap/
/etc/openldap/schema/nis.ldif:36:olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY integ
/etc/openldap/schema/nis.ldif:89:  $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive
/etc/openldap/schema/nis.schema:65:attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
/etc/openldap/schema/nis.schema:171:    MAY ( userPassword $ shadowLastChange $ shadowMin $

Why is shadowLastChange unknown? What do I need to do during configuration to fix this so that slapd can authenticate users?

Answer 1

It looks like shadowLastChange is not yet part of your server's schema, because it does not appear in /etc/openldap/slapd.d/cn=config/cn=schema/cn={x}nis.ldif.

Did you forget to add the suggested lines to your ldif?

include file:///etc/openldap/schema/cosine.ldif

include file:///etc/openldap/schema/nis.ldif

include file:///etc/openldap/schema/inetorgperson.ldif

Answer 2

The "Configuring an LDAP Server" section of the Oracle® Linux Administrator's Guide for Release 7 has the user create an LDIF file in step 7:

# Load the schema files required for accounts
include file:///etc/openldap/schema/cosine.ldif

include file:///etc/openldap/schema/nis.ldif

include file:///etc/openldap/schema/inetorgperson.ldif

# Load the HDB (hierarchical database) backend modules
dn: cn=module,cn=config
objectClass: olcModuleList

As shown in the OpenLDAP LDIF man page, the syntax of include requires it to be followed by a colon. Adding the colon gives the following, and shadowLastChange will exist as an attribute when step 8 is executed.

# Load the schema files required for accounts
include: file:///etc/openldap/schema/cosine.ldif

include: file:///etc/openldap/schema/nis.ldif

include: file:///etc/openldap/schema/inetorgperson.ldif

# Load the HDB (hierarchical database) backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
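The failure above is easy to reproduce offline: a line reading `include file:///...` is not an LDIF attribute line, so the schema it names is never loaded and any later `olcAccess` that mentions `shadowLastChange` fails the same way the question shows. The following Python lint is an added example, not code from either answer or from the OpenLDAP project. It unfolds LDIF continuation lines (the `olcAccess` value in the question is spread over three lines), flags `include` lines that lack the colon, collects the attribute NAMEs declared by each correctly included schema file, and then checks every `attrs=` clause in `olcAccess` against that set. The schema file contents, the `CORE_ATTRS` set and the function names are constructed for the example and are only small subsets of what OpenLDAP actually ships.

```python
import re

# Constructed stand-ins for /etc/openldap/schema/*.ldif; real files declare
# many more attributes, but only the NAME tokens matter to this lint.
SCHEMA_FILES = {
    "file:///etc/openldap/schema/cosine.ldif": """\
dn: cn=cosine,cn=config
objectClass: olcSchemaConfig
cn: cosine
olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME 'dc' )
""",
    "file:///etc/openldap/schema/nis.ldif": """\
dn: cn=nis,cn=config
objectClass: olcSchemaConfig
cn: nis
olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY integ
 erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
""",
    "file:///etc/openldap/schema/inetorgperson.ldif": """\
dn: cn=inetorgperson,cn=config
objectClass: olcSchemaConfig
cn: inetorgperson
olcAttributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' )
""",
}

# Attributes slapd knows without any include (a small subset of core schema,
# chosen for this example).
CORE_ATTRS = {"userPassword", "entry", "children", "cn", "objectClass"}


def unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def schema_attrs(schema_text):
    """Return the attribute NAMEs declared by olcAttributeTypes lines of a schema LDIF."""
    names = set()
    for line in unfold(schema_text):
        if not line.startswith("olcAttributeTypes:"):
            continue
        # NAME is either a single quoted name or a parenthesised list of them.
        m = re.search(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))", line)
        if m and m.group(1):
            names.add(m.group(1))
        elif m:
            names.update(re.findall(r"'([^']+)'", m.group(2)))
    return names


def lint_config_ldif(text, schema_files=SCHEMA_FILES, core=CORE_ATTRS):
    """Return a list of problems found in a cn=config LDIF; an empty list means clean."""
    problems = []
    known = set(core)
    for line in unfold(text):
        if line.startswith("include "):
            # ldif(5) syntax is 'include: <URI>'; without the colon slapd never loads the file.
            problems.append("malformed include (missing colon): " + line)
        elif line.startswith("include:"):
            uri = line[len("include:"):].strip()
            if uri in schema_files:
                known |= schema_attrs(schema_files[uri])
            else:
                problems.append("include of schema file not available here: " + uri)
        elif line.startswith("olcAccess:"):
            m = re.search(r"attrs=(\S+)", line)
            for attr in (m.group(1).split(",") if m else []):
                attr = attr.strip()
                if attr.startswith(("@", "!")):  # objectClass-based attr lists
                    continue
                if attr not in known:
                    problems.append("olcAccess references unknown attr %r" % attr)
    return problems


# Constructed configuration in the shape of the guide's step-7 file, first with
# the broken include lines, then with the colon added.
BROKEN = """\
# Load the schema files required for accounts
include file:///etc/openldap/schema/cosine.ldif
include file:///etc/openldap/schema/nis.ldif
include file:///etc/openldap/schema/inetorgperson.ldif

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by * read
"""
FIXED = BROKEN.replace("include file://", "include: file://")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_config_ldif(text) or "OK")
```

The lint is only as good as the schema snippets it is given; on a real host you would feed it the actual files under /etc/openldap/schema/ so that every attribute the ACLs mention is checked, not just shadowLastChange.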
